authorKévin Le Gouguec <kevin.legouguec@airbus.com>2018-11-26 10:04:57 +0100
committerKévin Le Gouguec <kevin.legouguec@airbus.com>2018-11-26 10:04:57 +0100
commitfe904e50a463aa0765df687a146d698e041b4103 (patch)
tree5328db759b79131e0dbfff6307a1706cdea244bc
parentfc7f6f86fb89adfb12289e69ed1e57f6bfa7e607 (diff)
downloadlilliput-ae-implem-fe904e50a463aa0765df687a146d698e041b4103.tar.xz
Implémentation du mode ΘCB3 : chiffrement - données authentifiées
-rw-r--r--crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c73
1 files changed, 64 insertions, 9 deletions
diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
index f67be07..e5b27e5 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
@@ -6,6 +6,14 @@
#include "lilliput-ae.h"
+/* Most-significant nibbles for tweak values */
+#define TWEAK_AD 0x2
+#define TWEAK_AD_PADDING 0x6
+#define TWEAK_MESSAGE 0x0
+#define TWEAK_MESSAGE_NO_PADDING 0x1
+#define TWEAK_MESSAGE_PADDING 0x5
+
+
static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
const uint8_t tweak[TWEAK_BYTES],
const uint8_t message[BLOCK_BYTES],
@@ -20,23 +28,70 @@ static void _xor_into(size_t len, uint8_t dest[len], uint8_t src[len])
dest[i] ^= src[i];
}
+static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTES])
+{
+ /* Assume that len<BLOCK_BYTES. */
+ memcpy(padded, buf, len);
+ padded[len] = 0x80;
+
+ if (len+1 < BLOCK_BYTES)
+ {
+ memset(padded+len+1, 0, BLOCK_BYTES-len-1);
+ }
+}
+
+static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
+{
+ /* The 128-bit tweak is filled as follows:
+ *
+ * - bits 127-124: constant 4-bit prefix
+ * - bits 123-0: block number
+ * - bits 123-64: 0-padding
+ * - bits 63-0: actual 64-bit block number
+ */
+
+ for (size_t i=0; i<sizeof(block_nb); i++)
+ {
+ uint64_t mask = (uint64_t)0xff << 8*i;
+ uint8_t b = (mask & block_nb) >> 8*i;
+
+ tweak[0] = b;
+ }
+
+ /* Assume bytes 8 to 15 have already been memset to 0. */
+
+ tweak[TWEAK_BYTES-1] ^= prefix << 4;
+}
+
static void _process_associated_data(
const uint8_t key[KEY_BYTES],
- size_t auth_data_len, const uint8_t auth_data[auth_data_len],
- uint8_t auth[BLOCK_BYTES]
+ size_t A_len, const uint8_t A[A_len],
+ uint8_t Auth[BLOCK_BYTES]
)
{
- size_t l_a = auth_data_len / BLOCK_BYTES;
+ uint8_t Ek_Ai[BLOCK_BYTES];
+ uint8_t tweak[TWEAK_BYTES];
+
+ memset(tweak, 0, BLOCK_BYTES);
+ memset(Auth, 0, BLOCK_BYTES);
- memset(auth, 0, BLOCK_BYTES);
+ size_t l_a = A_len / BLOCK_BYTES;
+ size_t rest = A_len % BLOCK_BYTES;
for (size_t i=0; i<l_a; i++)
{
- uint8_t tweak[TWEAK_BYTES];
- /* TODO: generate tweak */
- uint8_t Ek_Ai[BLOCK_BYTES];
- _lilliput_tbc(key, tweak, auth_data+i*BLOCK_BYTES, Ek_Ai);
- _xor_into(BLOCK_BYTES, auth, Ek_Ai);
+ _fill_ad_tweak(TWEAK_AD, i, tweak);
+ _lilliput_tbc(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
+ _xor_into(BLOCK_BYTES, Auth, Ek_Ai);
+ }
+
+ if (rest != 0)
+ {
+ uint8_t A_rest[BLOCK_BYTES];
+ _pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
+ _fill_ad_tweak(TWEAK_AD_PADDING, l_a, tweak);
+ _lilliput_tbc(key, tweak, A_rest, Ek_Ai);
+ _xor_into(BLOCK_BYTES, Auth, Ek_Ai);
}
}
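Review bot: `_fill_ad_tweak` never stores the block number: its loop body writes `tweak[0] = b;` on every iteration instead of `tweak[i] = b;`, so for any block_nb below 2^56 byte 0 ends up holding the (zero) top byte and every full AD block is processed under the same tweak, which makes Auth invariant under reordering or duplicating 16-byte AD blocks — an authentication bypass, not just a test-vector mismatch. The prefix is also applied with `^=` to a tweak buffer that `_process_associated_data` reuses across iterations, so byte 15 toggles between 0x20 and 0x00 on successive blocks; since 0x0 is TWEAK_MESSAGE, odd-numbered AD blocks end up sharing tweaks with message blocks and the domain separation is lost. Both defects disappear if the helper owns the whole tweak: zero it with TWEAK_BYTES (the buffer's declared size; the caller's memset uses BLOCK_BYTES, which only happens to be right when the two sizes coincide), write `tweak[i]`, and assign rather than XOR the prefix; the caller's `memset(tweak, 0, BLOCK_BYTES)` then becomes redundant and can be dropped.
```c
static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
{
    /* … unchanged: tweak layout comment … */
    memset(tweak, 0, TWEAK_BYTES);

    /* Little-endian block number in bytes 0..7, as the layout comment describes. */
    for (size_t i=0; i<sizeof(block_nb); i++)
    {
        tweak[i] = (uint8_t)(block_nb >> 8*i);
    }

    /* Assign, not XOR: the caller reuses this buffer across blocks. */
    tweak[TWEAK_BYTES-1] = (uint8_t)(prefix << 4);
}
```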